RFR: 8481: Update lz4-java to 1.10.1 [v3]
Alex Macdonald
aptmac at openjdk.org
Fri Dec 12 22:19:10 UTC 2025
On Fri, 12 Dec 2025 19:58:46 GMT, Alex Macdonald <aptmac at openjdk.org> wrote:
>> There's currently a security advisory open for the version of lz4-java we are using. lz4-java had been archived, but has been updated by a new maintainer with a fix for the security issue.
>>
>> See: https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q
>
> Alex Macdonald has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR. The pull request contains one new commit since the last revision:
>
> 8481: Update lz4-java to 1.10.1
Hm, taking a look at the jar that's pulled in from maven central, the packages aren't exported:
Manifest-Version: 1.0
Automatic-Module-Name: org.lz4.java
Build-Jdk-Spec: 21
Bundle-ManifestVersion: 2
Bundle-Name: lz4-java
Bundle-SymbolicName: lz4-java
Bundle-Version: 0
Import-Package: java.io,java.lang,java.lang.reflect,java.nio,java.util
,java.util.zip,sun.misc
Originally-Created-By: Maven JAR Plugin 3.4.1
Private-Package: net.jpountz.lz4,net.jpountz.util,net.jpountz.util.dar
win.aarch64,net.jpountz.util.darwin.x86_64,net.jpountz.util.linux.aar
ch64,net.jpountz.util.linux.amd64,net.jpountz.util.linux.i386,net.jpo
untz.util.linux.ppc64le,net.jpountz.util.linux.s390x,net.jpountz.util
.win32.amd64,net.jpountz.xxhash
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"
-------------
PR Comment: https://git.openjdk.org/jmc/pull/694#issuecomment-3648333983
More information about the jmc-dev
mailing list